# Frequently Asked Questions (FAQ)

This page answers common questions about Wiredoor, how it works, and how to troubleshoot basic setup or usage issues.

---

## General

### Do I need a public IP to use Wiredoor?

Not necessarily — while the Wiredoor Server works best on a machine with a public IP address or publicly reachable domain (especially for exposing TCP services to the internet), it can also be used in corporate or internal networks where all nodes can reach the server.

---

### Do my services need public IPs?

No — your **internal services do not need to be publicly accessible**. Wiredoor connects to them through a reverse VPN tunnel using WireGuard, which allows exposure from completely private networks.

---

### Is Wiredoor open-source?

Yes! Both the server and CLI are fully open source. You can self-host everything and have full control over your infrastructure.

---

### Can I use Wiredoor without a public domain?

Yes, but:

- You will receive a **self-signed SSL certificate**
- Browsers may show security warnings unless you manually trust the cert
- You won’t be able to use Let's Encrypt

---

### Can I expose multiple services on the same domain?

Yes. You can:

- Expose **multiple services on different paths** using HTTP (e.g., `/app1`, `/app2`)
- Or expose **different services on different subdomains** (e.g., `api.example.com`, `admin.example.com`)

---

### Can I run Wiredoor on a VPS?

Absolutely. In fact, a Linux VPS is the recommended environment for hosting the Wiredoor Server.

---

### Can I use Wiredoor in air-gapped environments?

Yes, if the node can **initiate outbound connections** to the Wiredoor Server (even via a proxy or firewall rule). However, features like Let's Encrypt won't work without internet access.

---

### Is there a limit to how many services I can expose?

No fixed limit. It depends on your server's capacity and how many ports or domains you configure.

---

### What happens if I restart the server or a node?

If you restart the Wiredoor server, all connected nodes will automatically reconnect once the server is back online.
If you restart a node, it will only reconnect and restore its exposed services if the wiredoor service is enabled and running (daemon mode).

To ensure automatic recovery after a reboot, make sure you've run:

```bash
systemctl enable --now wiredoor
```

This keeps the connection alive and handles reconnections automatically.

---

## Connecting and managing nodes

### How do I connect a node to Wiredoor?

Use the command and follow the steps:

```bash
wiredoor login --url https://wiredoor_ip_or_domain
```

You can also create the node use Wiredoor Server UI and connect to that node using the generated token:

```bash
wiredoor connect --url https://wiredoor_ip_or_domain --token XXXXXXXXXXXX
```

---

### What is the difference between `wiredoor connect` and `wiredoor login`?

- `wiredoor login` is used by admins to authenticate and create a node directly from the CLI and connect to it.
- `wiredoor connect` is used to connect your service to an already created node using an existing token.

---

### Where is the Wiredoor config file located?

By default, it is located at:

```bash
/etc/wiredoor/config.ini
```

---

## Exposing Services

### How do I expose a local HTTP or TCP service?

Use: 

```bash
wiredoor http my-service --port 3000 --domain service.example.com
```

or

```bash
wiredoor tcp my-ssh --port 22 
```

Wiredoor assign unused port automatically in the range defined by `TCP_SERVICES_PORT_RANGE`

---

### Can I expose multiple services from the same node?

Yes, you can expose multiple HTTP or TCP services from a single node.

---

### Can I expose multiple services from the same node?

Yes, you can expose multiple HTTP or TCP services from a single node.

---

### Is it possible to restrict access to certain IPs or countries?

Yes, Wiredoor supports access control using the `--allow` and `--block` flags when exposing services. You can restrict access to specific subnets or IP address like this:

```bash
wiredoor tcp my-ssh --port 22 --allow 94.173.54.0/24 --allow 94.173.59.54/32
```

This allows only the defined subnets. If at least one `--allow` rule is specified, all other traffic is blocked by default. These flags work for both HTTP and TCP services.

---

## Security

### Is the Wiredoor connection secure?

Yes. All connections are established over an encrypted WireGuard tunnel.

---

### What kind of encryption does Wiredoor use?

Wiredoor uses WireGuard, which relies on modern cryptographic primitives like Curve25519, ChaCha20, and Poly1305.

---

### Can I rotate the connection token or credentials?

Yes. You can revoke and regenerate tokens from the server dashboard or CLI.

---

### How do I revoke access to a node?

You can manually delete or revoke access token and disable or delete the node.

---

## Status and Monitoring

### How can I check the connection status of a node?

Use:

```bash
wiredoor status
```

It shows connection status, active services, and health check.

---

### How do I know if a service is active or disabled?

Use `wiredoor status` or check in the Wiredoor Server Dashboard.

---

## Deployment and Maintenance

### How is deployed wiredoor server?

Wiredoor server is deployed using a docker image with simple configuration through environment variables.

---

### How do I back up my Wiredoor configuration and data?

Back up the local volumes `wiredoor-data` and `wiredoor-certbot`.
